Health Library
Health Library

Q&A with Leo Cunningham, CISO of Flo Health

“At Flo, we have a world class privacy and security function where we look at the best technologies, training, and education to ensure we reduce as much risk as possible.”

Leo Cunningham
CISO of Flo Health

Tell us a bit about yourself! 

I live just outside of Edinburgh. One fun fact that some may not know about me is that I’ve been a singer in a few bands where I live in my home town of Glasgow, but sadly nothing famous! I start my days at 6am, review Slack for an hour, then spend time with my Son as he usually wakes up at 7am. At about 8am, I get everyone ready for the day and then I jump into work.


What led you to becoming interested in Cyber security? 

As a consumer of technology I was always fascinated by how someone could break or disrupt the stuff that I used, so I dabbled in computing and ethical hacking to see if I could replicate what I was reading about. My career progressed from ‘process engineering’ to ‘risk management’ and being exposed to large technology vendors. From there, I learned more about security and how these vendors would work in regulated environments and what they had to do in order to be compliant with security.


What does a typical day look like for you?

Each morning I meet with our Cloud Security Lead, Application Security Engineer and our Security Governance and Compliance Lead to discuss any current issues that need to be addressed. We also plan our week based on fortnightly sprints where we try to achieve as much as we can over this period. This includes Security enhancements, staff training, looking at threats and understanding how to mitigate threats against our Cloud and Application layer. I also meet regularly with our CTO and DPO to review security and privacy work that we are carrying out to improve our services. I typically finish at about 4 or 5pm.


What would you say are the top three priorities as a CISO?

At a high level, my role is to look at our strategy, our processes and enhancements across Flo Health regarding Security. I also provide support to our Privacy Team to assist with Security and Privacy crossover. My top three priorities include:


1. Helping Flo Health adopt a data-driven Security approach. This helps the company understand our decision process and why security is important, as we can quantify the risk posed and detail the How and Why.


2. Increase visibility into our Cybersecurity posture so we know where our gaps are and where we need to improve as we cope with an ever changing landscape with Cyber threats.


3. Being a business enabler and not disabler when it comes to Security. Security should support the business when making the right decisions.


How did your security strategy at Flo take shape and what were your priorities when you started? How have they evolved over time? 

My priorities were to understand Flo as a company, our processes, our technology, and the people who work here and to understand our user journey. This helped me understand all the key components that security must protect. From here, I look at areas of improvement and areas where we have done really well and continue to support others on maintaining this. My goal is to automate as much as possible to make life easier for everyone. In the future, I hope to create a Security as a Service where people utilise our services e.g. testing, education and initiatives.


What are the biggest challenges you face as a CISO and how do you overcome these challenges? 

I would say the biggest challenge is the rate at which vulnerabilities are being exposed and how attack methods are constantly changing. In order to stay on top of the latest trends, I subscribe to various sites and mailing lists. I am also a member of The International Information System Security Certification Consortium (ISC2) which constantly updates its members on Security events.


Part of my role at Flo involves preventing attacks from taking place. We look to understand how an attack occurs and why. By understanding this through our intelligence that we create from AWS and our applications, we can stop attacks in motion almost instantly. We take these learnings and fine tune our intelligence to make services better and to anticipate specific attack types. We also use automation throughout the technology stack to scan for vulnerabilities, so these are captured before a software release or deployment. We also constantly educate Staff on Security issues and potential threats that are out there so Staff are better prepared if an event occurs.


Where do you see the future of cybersecurity heading, be it threats, technology, or trends? 

I imagine in the future we will see weaponized malware that is designed specifically for your company. Beyond this, we’ll start to see an increase in criminal enterprises or advanced persistent threat groups, who are guns for hire off the dark web. I think we’ll also see an increase in A.I. and M.L. being used for cyber crimes.


What would you say to Flo users who are worried about data privacy/security? 

It’s natural to be worried about data privacy and security as this is your prerogative when using a service that connects to the internet. At Flo, we have a world class privacy and security function where we look at the best technologies, training and education to ensure we reduce as much risk as possible. We are also hiring world class talent to ensure they have the skill sets to cope with privacy and security related issues to ensure we deliver the best service possible. My role as CISO is to protect User information and ensure we have the right approach when dealing with Security related events.